
I am running the following command inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo

And I am getting failures for

  • Check login.defs (4 failed)
    • All these params look like they should pass
  • sysctl-29: Disable loading kernel modules
    • I accidentally set echo "1" > /proc/sys/kernel/modules_disabled and now I'm unable to set it back :-(
  • package-07: Install syslog server package
    • What package should I install?
  • os-06: Check for SUID/ SGID blacklist
    • Where can I set this?
ubuntu@ip-10-0-1-10:~/.ssh$ inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: already initialized constant RSpec::Core::ExampleGroup::INSTANCE_VARIABLE_TO_IGNORE
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: previous definition of INSTANCE_VARIABLE_TO_IGNORE was here
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: already initialized constant RSpec::Core::ExampleGroup::WrongScopeError
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: previous definition of WrongScopeError was here
verify_host_key: false is deprecated, use :never
[2020-08-15T21:22:01+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default  value with `attribute('login_defs_umask', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmaxdays' does not have a value. Use --attrs to provide a value for 'login_defs_passmaxdays' or specify a default  value with `attribute('login_defs_passmaxdays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmindays' does not have a value. Use --attrs to provide a value for 'login_defs_passmindays' or specify a default  value with `attribute('login_defs_passmindays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passwarnage' does not have a value. Use --attrs to provide a value for 'login_defs_passwarnage' or specify a default  value with `attribute('login_defs_passwarnage', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value. Use --attrs to provide a value for 'blacklist' or specify a default  value with `attribute('blacklist', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value. Use --attrs to provide a value for 'syslog_pkg' or specify a default  value with `attribute('syslog_pkg', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'sysctl_forwarding' does not have a value. Use --attrs to provide a value for 'sysctl_forwarding' or specify a default  value with `attribute('sysctl_forwarding', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'kernel_modules_disabled' does not have a value. Use --attrs to provide a value for 'kernel_modules_disabled' or specify a default  value with `attribute('kernel_modules_disabled', default: 'somedefault', ...)`.

Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.6
Target:  ssh://ubuntu@10.0.1.22:22

  ✔ os-01: Trusted hosts login
     ✔ File /etc/hosts.equiv should not exist
  ✔ os-02: Check owner and permissions for /etc/shadow
     ✔ File /etc/shadow should exist
     ✔ File /etc/shadow should be file
     ✔ File /etc/shadow should be owned by "root"
     ✔ File /etc/shadow should not be executable
     ✔ File /etc/shadow should not be readable by other
     ✔ File /etc/shadow group should eq "shadow"
     ✔ File /etc/shadow should be writable by owner
     ✔ File /etc/shadow should be readable by owner
     ✔ File /etc/shadow should be readable by group
  ✔ os-03: Check owner and permissions for /etc/passwd
     ✔ File /etc/passwd should exist
     ✔ File /etc/passwd should be file
     ✔ File /etc/passwd should be owned by "root"
     ✔ File /etc/passwd should not be executable
     ✔ File /etc/passwd should be writable by owner
     ✔ File /etc/passwd should not be writable by group
     ✔ File /etc/passwd should not be writable by other
     ✔ File /etc/passwd should be readable by owner
     ✔ File /etc/passwd should be readable by group
     ✔ File /etc/passwd should be readable by other
     ✔ File /etc/passwd group should eq "root"
  ✔ os-03b: Check passwords hashes in /etc/passwd
     ✔ /etc/passwd passwords should be in "x" and ""
  ✔ os-04: Dot in PATH variable
     ✔ Environment variable PATH split should not include ""
     ✔ Environment variable PATH split should not include "."
  × os-05: Check login.defs (4 failed)
     ✔ File /etc/login.defs should exist
     ✔ File /etc/login.defs should be file
     ✔ File /etc/login.defs should be owned by "root"
     ✔ File /etc/login.defs should not be executable
     ✔ File /etc/login.defs should be readable by owner
     ✔ File /etc/login.defs should be readable by group
     ✔ File /etc/login.defs should be readable by other
     ✔ File /etc/login.defs group should eq "root"
     ✔ login.defs ENV_SUPATH should include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔ login.defs ENV_PATH should include "/usr/local/bin:/usr/bin:/bin"
     × login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     × login.defs PASS_MAX_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1e3e8 @name="login_defs_passmaxdays">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     × login.defs PASS_MIN_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1dee8 @name="login_defs_passmindays">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     × login.defs PASS_WARN_AGE should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1da38 @name="login_defs_passwarnage">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ✔ login.defs LOGIN_RETRIES should eq "5"
     ✔ login.defs LOGIN_TIMEOUT should eq "60"
     ✔ login.defs UID_MIN should eq "1000"
     ✔ login.defs GID_MIN should eq "1000"
  ↺ os-05b: Check login.defs - RedHat specific
     ↺ Skipped control due to only_if condition.
  × os-06: Check for SUID/ SGID blacklist
     × suid_check diff
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔ os-07: Unique uid and gid
     ✔ /etc/passwd uids should not contain duplicates
     ✔ /etc/group gids should not contain duplicates
  ✔ os-08: Entropy
     ✔ 3092 should >= 1000
  ✔ os-09: Check for .rhosts and .netrc file
     ✔ [] should be empty
  ✔ os-10: CIS: Disable unused filesystems
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install cramfs /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install freevxfs /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install jffs2 /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfs /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfsplus /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install squashfs /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install udf /bin/true"
     ✔ File /etc/modprobe.d/dev-sec.conf content should match "install vfat /bin/true"
  ✔ os-11: Protect log-directory
     ✔ File /var/log should be directory
     ✔ File /var/log should be owned by "root"
     ✔ File /var/log group should match /^root|syslog$/
  ✔ package-01: Do not run deprecated inetd or xinetd
     ✔ System Package inetd should not be installed
     ✔ System Package xinetd should not be installed
  ✔ package-02: Do not install Telnet server
     ✔ System Package telnetd should not be installed
  ✔ package-03: Do not install rsh server
     ✔ System Package rsh-server should not be installed
  ✔ package-05: Do not install ypserv server (NIS)
     ✔ System Package ypserv should not be installed
  ✔ package-06: Do not install tftp server
     ✔ System Package tftp-server should not be installed
  × package-07: Install syslog server package
     × System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
     expected that System Package Attribute 'syslog_pkg' does not have a value. Skipping test. is installed
  ✔ package-08: Install auditd
     ✔ System Package auditd should be installed
     ✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log"
     ✔ Audit Daemon Config log_format should cmp == "raw"
     ✔ Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/
     ✔ Audit Daemon Config max_log_file_action should cmp == "keep_logs"
     ✔ Audit Daemon Config space_left should cmp == 75
     ✔ Audit Daemon Config action_mail_acct should cmp == "root"
     ✔ Audit Daemon Config space_left_action should cmp == "SYSLOG"
     ✔ Audit Daemon Config admin_space_left should cmp == 50
     ✔ Audit Daemon Config admin_space_left_action should cmp == "SUSPEND"
     ✔ Audit Daemon Config disk_full_action should cmp == "SUSPEND"
     ✔ Audit Daemon Config disk_error_action should cmp == "SUSPEND"
  ✔ package-09: CIS: Additional process hardening
     ✔ System Package prelink should not be installed
  ↺ sysctl-01: IPv4 Forwarding
     ↺ Skipped control due to only_if condition.
  ✔ sysctl-02: Reverse path filtering
     ✔ Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 1
     ✔ Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1
  ✔ sysctl-03: ICMP ignore bogus error responses
     ✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1
  ✔ sysctl-04: ICMP echo ignore broadcasts
     ✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value should eq 1
  ✔ sysctl-05: ICMP ratelimit
     ✔ Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100
  ✔ sysctl-06: ICMP ratemask
     ✔ Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089
  ✔ sysctl-07: TCP timestamps
     ✔ Kernel Parameter net.ipv4.tcp_timestamps value should eq 0
  ✔ sysctl-08: ARP ignore
     ✔ Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1
  ✔ sysctl-09: ARP announce
     ✔ Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2
  ✔ sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ✔ Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1
  ✔ sysctl-11: Protection against SYN flood attacks
     ✔ Kernel Parameter net.ipv4.tcp_syncookies value should eq 1
  ✔ sysctl-12: Shared Media IP Architecture
     ✔ Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1
     ✔ Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1
  ✔ sysctl-13: Disable Source Routing
     ✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0
     ✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0
  ✔ sysctl-14: Disable acceptance of all IPv4 redirected packets
     ✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0
     ✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 0
  ✔ sysctl-15: Disable acceptance of all secure redirected packets
     ✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0
     ✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0
  ✔ sysctl-16: Disable sending of redirects packets
     ✔ Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0
     ✔ Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0
  ✔ sysctl-17: Disable log martians
     ✔ Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1
     ✔ Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1
  ✔ sysctl-18: Disable IPv6 if it is not needed
     ✔ Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1
  ↺ sysctl-19: IPv6 Forwarding
     ↺ Skipped control due to only_if condition.
  ✔ sysctl-20: Disable acceptance of all IPv6 redirected packets
     ✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0
     ✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0
  ✔ sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ✔ Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0
  ✔ sysctl-22: Disable Accept Router Preference from router advertisement
     ✔ Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0
  ✔ sysctl-23: Disable learning Prefix Information from router advertisement
     ✔ Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0
  ✔ sysctl-24: Disable learning Hop limit from router advertisement
     ✔ Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0
  ✔ sysctl-25: Disable the system`s acceptance of router advertisement
     ✔ Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0
     ✔ Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0
  ✔ sysctl-26: Disable IPv6 autoconfiguration
     ✔ Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0
  ✔ sysctl-27: Disable neighbor solicitations to send out per address
     ✔ Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0
  ✔ sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ✔ Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1
  × sysctl-29: Disable loading kernel modules
     × Kernel Parameter kernel.modules_disabled value should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x000000052722e8 @name="kernel_modules_disabled">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔ sysctl-30: Magic SysRq
     ✔ Kernel Parameter kernel.sysrq value should eq 0
  ✔ sysctl-31a: Secure Core Dumps - dump settings
     ✔ Kernel Parameter fs.suid_dumpable value should cmp == /(0|2)/
  ✔ sysctl-31b: Secure Core Dumps - dump path
     ✔ Kernel Parameter kernel.core_pattern value should match /^|?/./
  ✔ sysctl-32: kernel.randomize_va_space
     ✔ Kernel Parameter kernel.randomize_va_space value should eq 2
  ✔ sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔ /proc/cpuinfo Flags should include NX

Profile Summary: 48 successful controls, 4 control failures, 3 controls skipped
Test Summary: 112 successful, 7 failures, 3 skipped

CLJ

1 Answer

A few initial comments for posterity:

  1. You can check exactly what the control is asserting by looking at the source code
  2. You can see what the remediation should be, by checking Dev-Sec's Ansible role
  3. Most of your issues seem to be related to missing or incorrect input variables. See the Inspec documentation on that topic

The specific issues you raise:

Check login.defs (4 failed)

This comes from the control os-05:

control 'os-05' do
  impact 1.0
  title 'Check login.defs'
  desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
  describe file('/etc/login.defs') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    it { should be_readable.by('owner') }
    it { should be_readable.by('group') }
    it { should be_readable.by('other') }
  end
  describe login_defs do
    its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
    its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }
    its('UMASK') { should include(login_defs_umask) }
    its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }
    its('PASS_MIN_DAYS') { should eq login_defs_passmindays }
    its('PASS_WARN_AGE') { should eq login_defs_passwarnage }
    its('LOGIN_RETRIES') { should eq '5' }
    its('LOGIN_TIMEOUT') { should eq '60' }
    its('UID_MIN') { should eq '1000' }
    its('GID_MIN') { should eq '1000' }
  end
end

The specific assertions that are failing are related to:

  • umask
  • password age (min/max days, warning)

These use attributes (i.e., Inspec input values), which are read higher up in the control:

login_defs_umask = attribute('login_defs_umask', value: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')

login_defs_passmaxdays = attribute('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')

login_defs_passmindays = attribute('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')

login_defs_passwarnage = attribute('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')

The error you are getting:

login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)

should be expected, given the previous warning Inspec told you:

WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default  value with `attribute('login_defs_umask', default: 'somedefault', ...)`

Either you have an old version of Inspec where the default is not set, or you passed a set of input variables where these values are not set.

os-06: Check for SUID/ SGID blacklist

This control checks the suid of a blacklist. It uses a custom resource suid_check. It essentially finds files with certain characteristics:

def permissions
    output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
    output.stdout.split(/\r?\n/)
end

Your diff fails because some files match the blacklist, which is again set as an attribute:

blacklist = attribute(
  'blacklist',
  value: suid_blacklist.default,
  description: 'blacklist of suid/sgid program on system'
)

Its default has a method default with a big list of paths. You can pass your own blacklist by setting it in an input file.

sysctl-29: Disable loading kernel modules

I accidentally set echo "1" > /proc/sys/kernel/modules_disabled and now I'm unable to set it back

The kernel documentation says:

Once true, modules can be neither loaded nor unloaded, and the toggle cannot be set back to false.

You probably have to reboot the machine.

package-07: Install syslog server package

The control makes an assertion on a package:

describe package(val_syslog_pkg) do
  it { should be_installed }
end

where val_syslog_pkg is an attribute passed as an input variable:

val_syslog_pkg = attribute('syslog_pkg', value: 'rsyslog', description: 'syslog package to ensure present (default: rsyslog, alternative: syslog-ng...')

In Ubuntu, this package name is syslog-ng.

Bruce Becker
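The answer's central point is that three of the four failures come from profile inputs (attributes) that never received a value. The following stand-alone Ruby script is an added example, not code from the question, from Bruce Becker's answer or from the dev-sec linux-baseline profile. It models how an `attribute('name', value: default)` call resolves against an `--attrs` input file, re-implements the four attribute-driven assertions of os-05 over a constructed /etc/login.defs, and shows the os-06 blacklist comparison and the package-07 default. The helper names (`resolve_attribute`, `parse_login_defs`, `login_defs_failures`, `suid_diff`, `run_example`), the sample login.defs, input files and blacklist are all constructed for this example; the intersection in `suid_diff` follows the answer's description of the failure rather than the resource's own code, which is not shown on the page.

```ruby
require 'yaml'

# Stand-in for the profile's attribute(name, value: default) calls: a value from
# the input file wins, then the profile default; no value at all is the
# "Attribute 'x' does not have a value" situation from the question.
def resolve_attribute(name, default, inputs)
  return inputs[name] if inputs.key?(name)
  raise ArgumentError, "Attribute '#{name}' does not have a value" if default.nil?
  default
end

# Parses /etc/login.defs the way the login_defs resource exposes it: one
# "KEY VALUE" pair per line, comments and blank lines ignored, values kept as Strings.
def parse_login_defs(text)
  text.each_line.with_object({}) do |line, defs|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    defs[key] = value
  end
end

# The four attribute-driven assertions of os-05: UMASK uses `include`
# (substring match), the password-age keys use `eq` on the String value.
# Returns the names of the keys that would fail.
def login_defs_failures(defs, inputs, redhat: false)
  expected = {
    'UMASK'         => resolve_attribute('login_defs_umask', redhat ? '077' : '027', inputs),
    'PASS_MAX_DAYS' => resolve_attribute('login_defs_passmaxdays', '60', inputs),
    'PASS_MIN_DAYS' => resolve_attribute('login_defs_passmindays', '7', inputs),
    'PASS_WARN_AGE' => resolve_attribute('login_defs_passwarnage', '7', inputs)
  }
  expected.reject do |key, want|
    actual = defs[key]
    key == 'UMASK' ? actual.to_s.include?(want.to_s) : actual == want
  end.keys
end

# os-06: the resource lists SUID/SGID files with `find -perm -4000 -o -perm -2000`
# and compares them with the blacklist. Assumption (the diff method is not on the
# page): the found files that are on the blacklist; the control needs this empty.
def suid_diff(found, blacklist)
  found & blacklist
end

# Constructed sample /etc/login.defs (stock-looking values, not from a real host).
SAMPLE_LOGIN_DEFS = <<~DEFS
  # /etc/login.defs - constructed sample
  UMASK           022
  PASS_MAX_DAYS   99999
  PASS_MIN_DAYS   0
  PASS_WARN_AGE   7
  LOGIN_RETRIES   5
DEFS

# Constructed input file as passed with `--attrs inputs.yml`. Quoting matters:
# the resource returns Strings, so '99999' passes `eq` and unquoted 99999 does not.
SAMPLE_INPUTS_YAML = <<~YAML
  login_defs_umask: '022'
  login_defs_passmaxdays: '99999'
  login_defs_passmindays: '0'
  syslog_pkg: rsyslog
YAML

# Same file with one value left unquoted: YAML loads it as an Integer.
UNQUOTED_INPUTS_YAML = <<~YAML
  login_defs_umask: '022'
  login_defs_passmaxdays: 99999
  login_defs_passmindays: '0'
YAML

# Constructed SUID/SGID inventory and blacklist (not dev-sec's default list).
SAMPLE_FOUND     = %w[/usr/bin/passwd /usr/bin/sudo /usr/bin/rsh /usr/bin/rcp].freeze
SAMPLE_BLACKLIST = %w[/usr/bin/rsh /usr/bin/rcp /usr/bin/rlogin].freeze

# Runs the checks with no inputs, with a correct input file and with the
# unquoted one, and returns what each would report.
def run_example
  defs     = parse_login_defs(SAMPLE_LOGIN_DEFS)
  good     = YAML.safe_load(SAMPLE_INPUTS_YAML)
  unquoted = YAML.safe_load(UNQUOTED_INPUTS_YAML)
  {
    defaults_failures: login_defs_failures(defs, {}),
    inputs_failures:   login_defs_failures(defs, good),
    unquoted_failures: login_defs_failures(defs, unquoted),
    suid_diff:         suid_diff(SAMPLE_FOUND, SAMPLE_BLACKLIST),
    syslog_pkg:        resolve_attribute('syslog_pkg', 'rsyslog', good)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_example.each { |check, result| puts "#{check}: #{result.inspect}" }
end
```

With the profile defaults the constructed login.defs fails UMASK, PASS_MAX_DAYS and PASS_MIN_DAYS; with the quoted input file it passes; with one unquoted value only PASS_MAX_DAYS fails, which is the kind of type mismatch to look for when a control fails although the file looks right. The same resolution step with no default reproduces the "does not have a value" error from the question.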